Insider Threat Programs Miss the Human Side of the Problem

Stopping insider threats relies more on addressing human problems than technological ones, according to Bill Evanina, national counterintelligence executive and director of the U.S. National Counterintelligence and Security Center.

“Where we’re missing the boat, oftentimes, is on the human resource side,” said Evanina. “At the end of the day, what we have to realize is, we’ll never stop the insider threat. The goal is to stop them before he or she decides to. We have to find a way to identify, mark them ahead of time and say, ‘hey listen, I know things are rough, you’re having problems, but there’s other options.’ ”

Evanina, who spoke Feb. 23 at an Institute for Critical Infrastructure Technology (ICIT) event in Washington, D.C., said data breaches from the inside are often caused by workers who have been divorced, passed up for a promotion, or had some other difficult event occur in their lives.

In addition, many breaches are the result of an employee or contractor accessing information they’re cleared to see, then taking a thumb drive or papers out of the office with them, and there is no high-tech way to prevent that.

Evanina said that many agencies and private companies have the ability to look at behavioral data, such as when a person usually logs on to their computer and deviations from that time, in order to guess if an employee has become a threat.

“They identify anomalies from a data perspective like we’ve never seen before. That’s one data point in the matrix and the mosaic that’s built up,” said Evanina, adding that it is more difficult to turn personal issues into measurable data. “How does that data get into that mosaic with security?”

“HR-provided training and awareness are consistently the initial portal through which new employees are processed and would be the point at which notice of an insider program would be conveyed, transparency established, and buy-in achieved,” said John McClurg, vice president and ambassador at large at Cylance, who also spoke at the event.

“The foundation of any such program necessarily includes policies and processes that encompass the entire employee life cycle—vetting, hiring, training, personnel management and separation—that help prevent and detect insider threats—all classically owned and advanced by an HR department,” McClurg said.

According to Evanina, some government agencies are doing well in incorporating human resource data, whereas others are less adept.

According to other ICIT speakers, there are too few professionals capable of deducing insider threat potential from human resources paperwork, let alone integrating that potential with data collected on the employee.

“The program needs to have clearly defined criteria and thresholds for conducting inquiries or investigations, referring cases to Security, Ethics, Legal or Human Resources; providing information to civilian law enforcement, government agencies, or requesting civil or criminal judicial process,” said McClurg.

Evanina said that part of the problem with insider threat is that so many incidents keep happening, making the public and organizations numb to the news.

“The only way we make it un-numb is we get it from our senior executives, our CEOs, to say ‘we can’t do this,’ ” Evanina said. “We have to work together in the government and the private sector to find solutions.”

When asked whether recently reported dips in intelligence worker morale would exacerbate the insider threat problem, Evanina said that he disagreed with the idea that there was a morale dip in the first place.

“I don’t see a dip in morale; I think the dip in morale is created by the media,” Evanina said. “We are sworn to protect, preserve, and fight for the Constitution, not for any political party.”